* Mon Feb 11 2013 David Knox <<a href="mailto:dknox@redhat.com">dknox@redhat.com</a>> 0:6.0.24-50<br />
- Resolves: rhbz 882010 CVE-2012-3439 CVE-2012-5885 CVE-2012-5886 CVE-2012-5887<br />
- three DIGEST authentication issues<br />
<br />
The patch tomcat6-6.0.24-CVE-2012-3439-rhbz-882010.patch for this change is<br />
wrong & non-working.<br />
<br />
If you compare hunk @@ -250,19 +252,19 @@ of DigestAuthenticator.java<br />
to hunk @@ -263,18 +264,19 @@ of the original diff at<br />
<a href="http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java?view=log&pathrev=1380829">http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java?view=log&pathrev=1380829</a><br />
you see that the line<br />
<br />
+ if (principal != null && digestInfo.isNonceStale()) {<br />
<br />
is missing the exclamation mark (negation) before digestInfo.isNonceStale().
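<br />
Added illustration (not part of the bug report, and not Tomcat's own source): a minimal model of the nonce-staleness decision that the quoted hunk inverts. The class and method names (DigestInfo, isNonceStale, principal) are borrowed from the report only loosely; the nonce format "&lt;issueTimeMillis&gt;:&lt;opaque&gt;", the validity window and the sample user are assumptions made for this example.<br />
<br />
```java
import java.util.Arrays;
import java.util.List;

// Added example, not Tomcat code: models the effect of a missing "!" in
//   if (principal != null && !digestInfo.isNonceStale()) { ... }
public final class NonceStaleCheck {

    /** Nonce validity window in milliseconds (assumed value for the example). */
    static final long NONCE_VALIDITY_MS = 5 * 60 * 1000L;

    /** Simplified stand-in for the authenticator's DigestInfo: tracks only the nonce issue time. */
    static final class DigestInfo {
        private final long nonceIssuedAt;
        private final long now;

        DigestInfo(String nonce, long now) {
            // Assumed nonce format "<issueTimeMillis>:<opaque>"; anything unparseable counts as stale.
            long issued;
            try {
                issued = Long.parseLong(nonce.substring(0, nonce.indexOf(':')));
            } catch (RuntimeException e) {
                issued = Long.MIN_VALUE;
            }
            this.nonceIssuedAt = issued;
            this.now = now;
        }

        boolean isNonceStale() {
            return now - nonceIssuedAt > NONCE_VALIDITY_MS;
        }
    }

    /** Shape of the upstream condition: admit only a verified user presenting a fresh nonce. */
    static boolean upstreamAdmits(Object principal, DigestInfo info) {
        return principal != null && !info.isNonceStale();
    }

    /** Shape of the hunk quoted in the report: negation missing, so the decision is inverted. */
    static boolean reportedHunkAdmits(Object principal, DigestInfo info) {
        return principal != null && info.isNonceStale();
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        Object principal = "alice";  // constructed: credentials already verified against the realm

        DigestInfo fresh = new DigestInfo((now - 1_000L) + ":x", now);             // issued 1 s ago
        DigestInfo stale = new DigestInfo((now - 10 * 60 * 1000L) + ":x", now);    // issued 10 min ago
        List<DigestInfo> cases = Arrays.asList(fresh, stale);

        for (DigestInfo info : cases) {
            System.out.printf("nonce stale=%-5s  upstream admits=%-5s  reported hunk admits=%-5s%n",
                    info.isNonceStale(),
                    upstreamAdmits(principal, info),
                    reportedHunkAdmits(principal, info));
        }
        // With the negation present, the fresh nonce is admitted and the stale one is challenged.
        // With it missing, the outcomes swap: fresh nonces are rejected and stale ones are admitted,
        // which defeats the replay protection the nonce expiry is there to provide.
    }
}
```
<br />
Compile and run with <code>javac NonceStaleCheck.java &amp;&amp; java NonceStaleCheck</code>; the two printed rows show the admit decision flipping between the two predicates for the same inputs, which is the behavioural consequence of the missing exclamation mark described in the report.<br />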